Skarp
Microsoft Azure Fundamentals (AZ-900): Complete Exam-Ready Masterclass
💻 Technology · Advanced · 9h · 20 modules

A deep, exam-focused journey through Microsoft Azure Fundamentals (AZ-900), aligned to the latest skills outline. Build a rock-solid understanding of cloud concepts, Azure architecture and services, and Azure management and governance so you can walk into the exam with confidence.

by Skarp_officialen

Course Content

20 modules · 9h total

1

AZ-900 Orientation: Exam Structure, Mindset, and Study Strategy

Step behind the scenes of the AZ-900 exam, uncover how questions are structured, and map out a practical study plan that turns this course into a clear path to a passing score.

27 min
2

Foundations of Cloud Computing: Characteristics, Benefits, and Risks

Move beyond buzzwords to see what truly makes the cloud different, why organizations are migrating, and which trade-offs they must weigh before committing.

27 min
3

Cloud Deployment Models: Public, Private, and Hybrid Cloud in Practice

Walk through real-world scenarios to see when organizations choose public, private, or hybrid cloud and what each model means for control, cost, and compliance.

27 min
4

Cloud Service Models: IaaS, PaaS, and SaaS Compared

Peek under the hood of common cloud solutions to see which layers you manage versus the provider, and match real services to IaaS, PaaS, or SaaS for exam scenarios.

27 min
5

Security Foundations in the Cloud: The Shared Responsibility Model

Trace exactly where the cloud provider’s security duties end and yours begin so you can avoid common exam traps and real-world misunderstandings.

27 min
6

Azure Global Infrastructure: Regions, Region Pairs, and Availability Zones

Follow your workloads across the globe to see how Azure regions and Availability Zones work together to deliver resiliency, performance, and data residency.

27 min
7

Organizing Azure: Management Groups, Subscriptions, and Resource Groups

See how Azure’s logical hierarchy fits together so you can place every resource in the right subscription and resource group for billing, access, and governance.

27 min
8

Azure Compute Services: From Virtual Machines to Containerized Apps

Tour the core Azure compute options and match each one to the right workload, from lift-and-shift servers to containerized microservices.

27 min
9

Azure Networking Fundamentals: Virtual Networks, Connectivity, and Security

Connect the dots between Azure resources, on-premises environments, and the internet using virtual networks, gateways, and basic security controls.

27 min
10

Azure Storage Services: Blobs, Files, Disks, and Data Redundancy

Dive into Azure’s core storage offerings and redundancy options so you can pick the right storage type and durability level for any scenario.

27 min
11

Azure Identity: Microsoft Entra ID, Authentication, and Access Basics

Follow the sign-in journey from user to resource and see how Microsoft Entra ID underpins authentication and access across Azure and Microsoft 365.

27 min
12

Azure Pricing, Cost Management, and Service-Level Agreements

Trace how Azure resources generate cost, how SLAs are expressed, and which tools help you estimate and control spending for predictable cloud bills.

27 min
13

Governance and Access Control: Role-Based Access Control (RBAC) in Azure

Zoom in on how Azure decides who can do what to which resource using role assignments, scopes, and built-in roles.

27 min
14

Policy and Compliance: Azure Policy, Locks, and Blueprints Concepts

Discover how Azure enforces organizational standards automatically using policies, locks, and templated environments for consistent deployments.

27 min
15

Azure Management Tools: Portal, Azure CLI, PowerShell, and Cloud Shell

Compare the main ways to interact with Azure and see where each tool shines, from quick portal clicks to repeatable command-line automation.

27 min
16

Infrastructure as Code on Azure: ARM Templates and Bicep Fundamentals

See how Azure resources can be defined as code using templates and Bicep so that environments become repeatable, testable, and version-controlled.

27 min
17

Monitoring and Insights: Azure Monitor, Logs, Metrics, and Alerts

Track the health and performance of Azure resources using metrics, logs, and alerts so you can detect and respond to issues proactively.

27 min
18

Service Health and Resiliency: Azure Service Health and Status

Differentiate between problems in your own deployment and platform-wide issues by using Azure Service Health and status information.

27 min
19

Security, Defense in Depth, and Microsoft Defender for Cloud (Conceptual)

Layer security controls across identity, network, data, and applications, and see where Microsoft Defender for Cloud fits into Azure’s security story.

27 min
20

Final Review and Exam Tactics: Practice Scenarios and Common Pitfalls

Pull everything together with domain-spanning scenarios, spot classic AZ-900 trick questions, and build a concrete plan for the final days before your exam.

27 min

Read the Textbook

Read every chapter for free, right here in your browser.

This orientation step sets the scene: what AZ-900 is, who it is for, and how the exam is structured at a high level.

AZ-900 (Microsoft Certified: Azure Fundamentals) is an entry-level, foundation exam. It is designed to check whether you understand core cloud and Azure concepts well enough to join conversations, read architecture diagrams, and make basic cloud decisions. It does not expect you to design full solutions or write code.

As of mid-2026, AZ-900 is organized into three major domains:

Describe cloud concepts (roughly 20–25% of the exam)

Describe Azure architecture and services (roughly 35–40%)

Describe Azure management and governance (roughly 30–35%)

Study Flashcards

Key concepts from this course as flashcard pairs.

AZ-900 Orientation: Exam Structure, Mindset, and Study Strategy

cloud computing

Cloud computing is the delivery of computing services over the internet, enabling faster innovation, flexible resources, and economies of scale.

public cloud

A public cloud is a cloud deployment model in which a cloud provider owns and operates the infrastructure and delivers computing resources over the public internet to multiple tenants.

private cloud

A private cloud is a cloud deployment model in which cloud resources are used exclusively by a single organization, either hosted on-premises or by a third-party provider.

hybrid cloud

A hybrid cloud is a computing environment that combines public and private clouds, allowing data and applications to be shared between them.

Infrastructure as a Service (IaaS)

Infrastructure as a Service (IaaS) is a cloud service model that provides virtualized computing resources such as servers, storage, and networking on demand.

Platform as a Service (PaaS)

Platform as a Service (PaaS) is a cloud service model that provides a complete development and deployment environment in the cloud, including infrastructure, middleware, and development tools.

Foundations of Cloud Computing: Characteristics, Benefits, and Risks

Cloud computing (canonical definition)

Cloud computing is the delivery of computing services over the internet, enabling faster innovation, flexible resources, and economies of scale.

Elasticity

The ability of a system to automatically or quickly add and remove resources to match changing demand, scaling out during peaks and scaling in when demand drops.

Scalability

The ability of a system to handle increased load by scaling up (bigger resources) or scaling out (more instances), often within minutes in the cloud.

Agility (in cloud context)

The ability to respond quickly to change by rapidly provisioning, modifying, and decommissioning resources and environments.

Capital Expenditure (CapEx)

Large upfront spending on physical assets such as servers, storage, and data center facilities, typically depreciated over several years.

Operational Expenditure (OpEx)

Ongoing costs to operate services, such as monthly cloud usage charges, support, and utilities, which scale with actual consumption.

Cloud Deployment Models: Public, Private, and Hybrid Cloud in Practice

Public cloud (canonical definition)

A public cloud is a cloud deployment model in which a cloud provider owns and operates the infrastructure and delivers computing resources over the public internet to multiple tenants.

Private cloud (canonical definition)

A private cloud is a cloud deployment model in which cloud resources are used exclusively by a single organization, either hosted on-premises or by a third-party provider.

Hybrid cloud (canonical definition)

A hybrid cloud is a computing environment that combines public and private clouds, allowing data and applications to be shared between them.

Cloud computing (canonical definition)

Cloud computing is the delivery of computing services over the internet, enabling faster innovation, flexible resources, and economies of scale.

Shared responsibility model (canonical definition)

The shared responsibility model is a framework that defines how security and compliance responsibilities are divided between the cloud provider and the customer.

Cloud Service Models: IaaS, PaaS, and SaaS Compared

Infrastructure as a Service (IaaS) – canonical definition

Infrastructure as a Service (IaaS) is a cloud service model that provides virtualized computing resources such as servers, storage, and networking on demand.

Platform as a Service (PaaS) – canonical definition

Platform as a Service (PaaS) is a cloud service model that provides a complete development and deployment environment in the cloud, including infrastructure, middleware, and development tools.

Software as a Service (SaaS) – canonical definition

Software as a Service (SaaS) is a cloud service model that delivers software applications over the internet on a subscription basis.

Example: Azure Virtual Machines

Azure Virtual Machines are IaaS. You manage the OS, middleware, and apps; Azure manages datacenter, hardware, and virtualization.

Example: Azure App Service (Web Apps)

Azure App Service is PaaS. Azure manages the OS and web server; you deploy and configure your application code.

Example: Microsoft 365

Microsoft 365 is SaaS. Microsoft provides and updates the full application suite; you manage users, access, and data settings.

Security Foundations in the Cloud: The Shared Responsibility Model

shared responsibility model

The shared responsibility model is a framework that defines how security and compliance responsibilities are divided between the cloud provider and the customer.

cloud computing

Cloud computing is the delivery of computing services over the internet, enabling faster innovation, flexible resources, and economies of scale.

Infrastructure as a Service (IaaS)

Infrastructure as a Service (IaaS) is a cloud service model that provides virtualized computing resources such as servers, storage, and networking on demand.

Platform as a Service (PaaS)

Platform as a Service (PaaS) is a cloud service model that provides a complete development and deployment environment in the cloud, including infrastructure, middleware, and development tools.

Software as a Service (SaaS)

Software as a Service (SaaS) is a cloud service model that delivers software applications over the internet on a subscription basis.

Microsoft Entra ID

Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.

Azure Global Infrastructure: Regions, Region Pairs, and Availability Zones

Azure region

A set of datacenters deployed within a specific geographic area and connected through a dedicated, low-latency network; the named location where you deploy Azure resources.

Region pair

Two Azure regions within the same geography that are directly connected and designed to support business continuity and disaster recovery, with separated locations and sequenced platform updates.

Availability Zone

A unique physical location within an Azure region, made up of one or more datacenters with independent power, cooling, and networking, used to increase availability and fault tolerance inside the region.

Latency (in Azure context)

The time it takes for data to travel between a user and an Azure service; typically reduced by placing resources in a region close to the majority of users.

Data residency

The geographic location where data is stored and processed, often driven by regulatory or organizational requirements; influenced by Azure region and geography selection.

Zone-redundant service

An Azure service configuration that automatically spreads resources across multiple Availability Zones in a region to improve availability and resilience.

Organizing Azure: Management Groups, Subscriptions, and Resource Groups

Microsoft Entra ID

Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.

Tenant

An instance of Microsoft Entra ID that belongs to one organization. It contains users, groups, and app registrations. All subscriptions in the organization are associated with a tenant for identity.

Azure subscription (main purposes)

A logical container for Azure resources that defines billing, quotas and limits, and a security/management boundary. Organizations often use multiple subscriptions to separate environments, departments, or customers.

Resource group

A logical container within a subscription that holds related Azure resources. Used to organize resources with a shared lifecycle and to apply RBAC and Azure Policy at a workload level.

Management group

A container above subscriptions used to group subscriptions and other management groups for governance at scale. Policies and RBAC assigned here inherit down to child subscriptions.

Role-based access control (RBAC)

Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.

Azure Compute Services: From Virtual Machines to Containerized Apps

Infrastructure as a Service (IaaS)

Infrastructure as a Service (IaaS) is a cloud service model that provides virtualized computing resources such as servers, storage, and networking on demand.

Platform as a Service (PaaS)

Platform as a Service (PaaS) is a cloud service model that provides a complete development and deployment environment in the cloud, including infrastructure, middleware, and development tools.

Azure Virtual Machines

An Azure compute service that provides IaaS virtual servers in the cloud. You manage the OS, runtime, and applications. Ideal for lift-and-shift and workloads needing full OS control.

Azure App Service

A PaaS service for hosting web apps and APIs without managing underlying infrastructure. Azure handles servers and OS; you focus on code, configuration, and scaling.

Azure Container Instances (ACI)

A service for running containers without managing servers or orchestration. Suitable for simple or short-lived containerized workloads; often called serverless containers.

Azure Kubernetes Service (AKS)

A managed Kubernetes service for orchestrating containers at scale. Azure manages the control plane; you manage nodes and containerized workloads.

Azure Networking Fundamentals: Virtual Networks, Connectivity, and Security

Azure Virtual Network (VNet)

A logically isolated, private network in Azure where you define IP address spaces and place resources such as virtual machines and certain PaaS services.

Subnet

A subdivision of a VNet’s IP address space used to group resources and apply network security rules at a more granular level.

Network Security Group (NSG)

A set of inbound and outbound security rules that allow or deny traffic to subnets or network interfaces based on source, destination, port, and protocol.

VNet Peering

An Azure feature that connects two VNets so resources can communicate using private IPs over Microsoft’s backbone network, without using a VPN gateway.

Site-to-Site VPN

A secure, encrypted tunnel over the public internet between an on-premises VPN device and an Azure VPN gateway, used for hybrid connectivity.

ExpressRoute

A private, dedicated connection between on-premises networks and Azure that does not traverse the public internet and offers more predictable performance.

Azure Storage Services: Blobs, Files, Disks, and Data Redundancy

Storage account

A secure, scalable container in Azure that provides a unique namespace and configuration boundary for services like Blob Storage, Azure Files, Queues, and Tables.

Blob Storage

Azure's object storage service for unstructured data such as images, videos, documents, and backups, organized as blobs within containers in a storage account.

Azure Files

A managed file share service in Azure that exposes file shares over SMB or NFS, allowing you to replace or extend traditional file servers.

Azure Queue Storage

A simple message queue service used to store and retrieve messages for asynchronous, decoupled communication between application components.

Azure Table Storage

A NoSQL key-attribute store for large volumes of semi-structured data, using tables, entities, PartitionKey, and RowKey.

Managed disk

An Azure-managed virtual disk resource used by virtual machines, built on top of page blobs, where Azure handles storage accounts and replication.

Azure Identity: Microsoft Entra ID, Authentication, and Access Basics

Microsoft Entra ID (canonical definition)

Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.

Authentication

The process of proving identity; answers "Who are you?" In Azure, Microsoft Entra ID authenticates users, apps, and devices, often using passwords plus MFA, and issues tokens.

Authorization

The process of controlling access; answers "What are you allowed to do?" In Azure, authorization is typically enforced using RBAC roles and other access controls on subscriptions, resource groups, and resources.

Tenant

A dedicated Microsoft Entra ID instance for an organization. It stores identities (users, groups, apps) and acts as the security and identity boundary for Azure and Microsoft 365.

Azure subscription

A billing and resource container in Azure that holds resources like VMs and storage accounts. Each subscription is associated with exactly one Microsoft Entra tenant.

User identity

An account in Microsoft Entra ID that represents a real person, such as an employee or guest. It can sign in, be assigned licenses, and receive roles.

Azure Pricing, Cost Management, and Service-Level Agreements

Azure Pricing Calculator

A web-based tool used to estimate future Azure costs by selecting services, regions, SKUs, and usage assumptions before deployment.

Azure Cost Management

The part of Azure Cost Management and Billing focused on analyzing, monitoring, and optimizing actual and forecasted Azure spending using cost analysis, budgets, alerts, and recommendations.

Azure Billing

The part of Azure Cost Management and Billing that manages invoices, payment methods, and billing scopes such as subscriptions under a Microsoft Customer Agreement or Enterprise Agreement.

Cost Driver: Region

The Azure region where a resource runs; different regions can have different prices for the same service due to varying infrastructure and energy costs.

Cost Driver: Data Egress

Charges that apply when data leaves Azure to the internet or between regions; inbound data is usually free, while outbound can significantly impact cost.

Budget (in Cost Management)

A configurable spending target for a subscription or resource group that can trigger alerts when actual or forecasted costs exceed defined thresholds.

Governance and Access Control: Role-Based Access Control (RBAC) in Azure

Canonical definition of role-based access control (RBAC)

Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.

Security principal (in Azure RBAC)

The "who" in RBAC: a user, group, service principal, or managed identity that can be assigned roles to access Azure resources.

Role definition

A collection of permissions that describe allowed actions on Azure resources, such as Owner, Contributor, or Reader.

Scope (in Azure RBAC)

The boundary where a role assignment applies: management group, subscription, resource group, or individual resource. Permissions inherit from higher to lower scopes.

Role assignment

The combination of a security principal, a role definition, and a scope that grants that principal the permissions of that role at that scope.

Least privilege principle (in RBAC)

Grant only the minimum permissions required for a user or app to perform its tasks, using the least powerful role and narrowest scope that still meets the need.

Policy and Compliance: Azure Policy, Locks, and Blueprints Concepts

Azure Policy (canonical definition)

Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.

Policy definition

A policy definition is the JSON-based rule in Azure Policy that specifies the conditions to evaluate and the effect to apply when those conditions are met or not met.

Policy assignment

A policy assignment associates a policy definition or initiative with a specific scope (management group, subscription, resource group, or resource), determining where the rule is evaluated.

Policy initiative (policy set)

A policy initiative is a collection of policy definitions grouped together to achieve a single overall goal, such as enforcing a security or compliance baseline across a subscription.

Deny vs Audit (policy effects)

Deny blocks non-compliant create or update operations. Audit allows the operation but marks the resource as non-compliant in Azure Policy reports.

Resource lock: ReadOnly

A ReadOnly lock prevents any modifications or deletions of a resource or scope; users can read data but cannot change or delete resources even if RBAC would normally allow it.

Azure Management Tools: Portal, Azure CLI, PowerShell, and Cloud Shell

Azure portal

A web-based graphical interface for managing Azure resources. Best for visual exploration, dashboards, one-off tasks, and learning how services are structured.

Azure CLI

A cross-platform command-line tool with commands like `az group create`. Ideal for scripting, automation, and DevOps pipelines on Windows, macOS, and Linux.

Azure PowerShell

A set of PowerShell Az modules that manage Azure with object-based cmdlets like `New-AzResourceGroup`. Well-suited to Windows admins and advanced automation.

Azure Cloud Shell

A browser-based shell environment that provides authenticated access to Azure CLI and Azure PowerShell, with tools pre-installed and persistent storage.

Best tool for: Visualizing policies, RBAC, and resource health

Azure portal – it provides blades for Access control (IAM), Azure Policy compliance, locks, and monitoring charts.

Best tool for: Bash-based automation from Linux

Azure CLI – designed for cross-platform scripting with simple, text-based commands.

Infrastructure as Code on Azure: ARM Templates and Bicep Fundamentals

Azure Resource Manager (ARM)

Azure Resource Manager is the deployment and management service for Azure that provides a consistent management layer to create, update, and delete resources across tools like the portal, CLI, PowerShell, ARM templates, and Bicep.

Resource group

A resource group is a logical container in Azure that holds related resources for an application or workload and allows you to deploy, manage, and delete them together.

Declarative Infrastructure as Code

A declarative IaC approach describes the desired final state of your infrastructure (which resources and configurations should exist) rather than specifying the exact sequence of steps to create them.

ARM template

An ARM template is a JSON file that defines one or more Azure resources and their configurations declaratively, using sections like parameters, variables, resources, and outputs.

Bicep language

Bicep is a higher-level, more human-readable domain-specific language for Azure that compiles to ARM templates, making it easier to author and maintain declarative infrastructure definitions.

Idempotent deployment

An idempotent deployment is one where running the same template or configuration repeatedly results in the same infrastructure state, without unintended side effects.

Monitoring and Insights: Azure Monitor, Logs, Metrics, and Alerts

Azure Monitor

Azure Monitor is the central service in Azure for collecting, analyzing, and acting on telemetry from Azure resources, Azure platform, and some on-premises or other-cloud resources.

Metric (in Azure Monitor)

A metric is a numeric measurement collected at regular intervals, optimized for near real-time monitoring and trend analysis (for example, CPU percentage, requests per second).

Log (in Azure Monitor)

A log is a record of an event or data entry, often semi-structured, stored in a Log Analytics workspace and queried with Kusto Query Language for detailed analysis and auditing.

Log Analytics workspace

A Log Analytics workspace is a logical container in Azure where Azure Monitor stores log data in tables that can be queried with Kusto Query Language.

Alert rule

An alert rule defines the signal, condition, scope, and associated action group that determine when Azure Monitor should treat a situation as a problem and trigger a response.

Action group

An action group is a reusable collection of notification and automation preferences (such as email, SMS, push, voice, webhooks, and Logic Apps) that run when an alert fires.

Service Health and Resiliency: Azure Service Health and Status

Azure status page (public)

A public website that shows high-level health of major Azure services by region, focusing on broad, ongoing incidents. It is not personalized to your subscriptions or resources.

Azure Service Health

An Azure portal experience that provides a personalized view of service issues, planned maintenance, health advisories, and security advisories that affect your Azure subscriptions, services, and regions.

Service issues (in Service Health)

Ongoing Azure platform problems, such as outages or degraded performance, that affect one or more services or regions and may impact your resources.

Planned maintenance (in Service Health)

Scheduled work performed by Microsoft on Azure services or infrastructure that may affect availability or performance during defined maintenance windows.

Health advisories (in Service Health)

Notifications about important but not necessarily outage-related events, such as behavior changes, required configuration updates, or upcoming feature deprecations.

Security advisories (in Service Health)

Notifications about security-related issues or required actions that may be critical to protecting your Azure resources.

Security, Defense in Depth, and Microsoft Defender for Cloud (Conceptual)

Defense in depth

A security strategy that uses multiple, layered security controls (identity, network, data, apps, governance, etc.) so that if one control fails, others still protect the environment.

shared responsibility model

The shared responsibility model is a framework that defines how security and compliance responsibilities are divided between the cloud provider and the customer.

Microsoft Entra ID

Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.

role-based access control (RBAC)

Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.

Azure Policy

Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.

Microsoft Defender for Cloud

An Azure-native security posture management and threat protection solution that continuously assesses resources, provides secure score and recommendations, and can add workload protection through Defender plans.

Final Review and Exam Tactics: Practice Scenarios and Common Pitfalls

cloud computing

Cloud computing is the delivery of computing services over the internet, enabling faster innovation, flexible resources, and economies of scale.

public cloud

A public cloud is a cloud deployment model in which a cloud provider owns and operates the infrastructure and delivers computing resources over the public internet to multiple tenants.

private cloud

A private cloud is a cloud deployment model in which cloud resources are used exclusively by a single organization, either hosted on-premises or by a third-party provider.

hybrid cloud

A hybrid cloud is a computing environment that combines public and private clouds, allowing data and applications to be shared between them.

Infrastructure as a Service (IaaS)

Infrastructure as a Service (IaaS) is a cloud service model that provides virtualized computing resources such as servers, storage, and networking on demand.

Platform as a Service (PaaS)

Platform as a Service (PaaS) is a cloud service model that provides a complete development and deployment environment in the cloud, including infrastructure, middleware, and development tools.
